Role-based access control generally uses the concept of roles when writing a management policy. A role indicates what part is to be played, and the set of authority permissions necessary to play that part is grouped under the role. A subject is assigned a role instead of individual authority permissions. This eliminates the need for a rule maker to write a large number of access control rules defining the actions permitted for each subject on each object, and lessens the burden of making access control rules.
FIG. 1 and FIG. 19 of Japanese Unexamined Patent Application Publication (JP-A) No. 11-313102 (hereinafter referred to as Patent Literature 1) are cited as a document describing a technology related to this invention. The access control method described in that document generates an access control list, written as combinations of an accessor and an access target, from an access control policy that is written as combinations of an accessor type, an access target type, and a constraint condition based on an organization structure. The method uses subject type group information, which directly associates a subject (accessor) with a subject type; object type group information, which directly associates an object (access target) with an object type; and organization structure information, which expresses the association of subjects and objects with the organization as a single tree structure. From these it generates only those access control list entries for which the constraint condition is satisfied.
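The following is an added illustrative example, not code from Patent Literature 1 or from this application, showing how both ideas above fit together: type-level rules (the role-style grouping of permissions described first) are expanded into a concrete accessor/target list only where an organization-tree constraint holds (the generation method described second). The subject names, object names, organization units, type names and the two constraint predicates (`same_unit`, `subject_unit_contains_object`) are constructed for the example and are not taken from the patent.

```python
"""Expand a type-level access control policy into a concrete ACL.

Added example (not from the cited patent). Subjects and objects are each
mapped to a type, both are positioned in one organization tree, and every
policy rule (subject type, object type, action, constraint) is expanded
into (subject, object, action) entries only where the constraint holds.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Organization structure information: one tree, child -> parent (constructed sample).
ORG_PARENT: Dict[str, Optional[str]] = {
    "company": None,
    "sales": "company",
    "engineering": "company",
    "eng-security": "engineering",
}

# Subject type group information: subject -> subject type (constructed sample).
SUBJECT_TYPE: Dict[str, str] = {
    "alice": "manager", "bob": "engineer", "carol": "engineer", "dave": "manager",
}
# Object type group information: object -> object type (constructed sample).
OBJECT_TYPE: Dict[str, str] = {
    "sales-report": "report", "threat-model": "design-doc", "patch-plan": "design-doc",
}
# Position of each subject and object in the organization tree (constructed sample).
SUBJECT_ORG: Dict[str, str] = {
    "alice": "sales", "bob": "engineering", "carol": "eng-security", "dave": "engineering",
}
OBJECT_ORG: Dict[str, str] = {
    "sales-report": "sales", "threat-model": "eng-security", "patch-plan": "engineering",
}


def ancestors(unit: str) -> List[str]:
    """Return the unit itself followed by every ancestor up to the tree root."""
    chain: List[str] = []
    cur: Optional[str] = unit
    while cur is not None:
        chain.append(cur)
        cur = ORG_PARENT[cur]
    return chain


# Constraint conditions evaluated over the organization tree (hypothetical predicates).
def same_unit(subject_unit: str, object_unit: str) -> bool:
    """Subject and object belong to exactly the same organizational unit."""
    return subject_unit == object_unit


def subject_unit_contains_object(subject_unit: str, object_unit: str) -> bool:
    """The object's unit is the subject's unit or lies beneath it in the tree."""
    return subject_unit in ancestors(object_unit)


Constraint = Callable[[str, str], bool]
AclEntry = Tuple[str, str, str]  # (subject, object, action)


@dataclass(frozen=True)
class PolicyRule:
    """One type-level rule: who (by type) may do what to which objects (by type)."""
    subject_type: str
    object_type: str
    action: str
    constraint: Constraint


# Three type-level rules stand in for what would otherwise be many per-subject rules.
POLICY: List[PolicyRule] = [
    PolicyRule("manager", "report", "read", subject_unit_contains_object),
    PolicyRule("manager", "design-doc", "read", subject_unit_contains_object),
    PolicyRule("engineer", "design-doc", "write", same_unit),
]


def generate_acl(policy: List[PolicyRule]) -> List[AclEntry]:
    """Expand every rule into concrete entries, keeping only those whose constraint holds."""
    acl = set()
    for rule in policy:
        for subject, s_type in SUBJECT_TYPE.items():
            if s_type != rule.subject_type:
                continue
            for obj, o_type in OBJECT_TYPE.items():
                if o_type != rule.object_type:
                    continue
                if rule.constraint(SUBJECT_ORG[subject], OBJECT_ORG[obj]):
                    acl.add((subject, obj, rule.action))
    return sorted(acl)


def is_permitted(acl: List[AclEntry], subject: str, obj: str, action: str) -> bool:
    """Decision against the generated list: anything not listed is denied."""
    return (subject, obj, action) in acl


if __name__ == "__main__":
    for entry in generate_acl(POLICY):
        print(entry)
```

Running the block prints five concrete entries derived from three rules; a manager in `engineering` reads design documents in `engineering` and its child `eng-security`, while the `sales` manager gets no engineering entry because the constraint fails for that pair. The deny-by-default check in `is_permitted` is the point of generating only the entries whose constraint is satisfied.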